Netherlands health provider Carinova offers in-home visits, domestic help, and constant-care facilities for elderly patients and people with illnesses or disabilities. After a Microsoft Software Asset Management (SAM) Cybersecurity review of its IT environment and practices, the company learned how to reduce its cybersecurity risks and prepare for compliance with the General Data Protection Regulation (GDPR) privacy law. Based on the Quexcel SAM team’s solution recommendations, Carinova gained a more flexible workplace and IT infrastructure in the cloud.

“Based on the SAM cybersecurity engagement, we decided to adopt Microsoft 365 cloud technologies to manage all our mobile devices, with the data protection and identity management features we need for GDPR compliance.”
Ton Kuiper: IT Specialist, Carinova

Health provider Carinova is committed to providing trusted, personalized care throughout the eastern part of the Netherlands. The company offers around-the-clock health services at its eight residential facilities, and its mobile caregivers visit patients’ homes up to five times a day. To maintain the public’s confidence and remain a top choice, Carinova places a high priority on data protection and compliance with healthcare standards. Employees work with highly sensitive personally identifiable information (PII), like electronic health records. This data falls under regulations such as the General Data Protection Regulation (GDPR), a privacy law that went into effect in May 2018.

IT plays a big part in GDPR compliance, but Carinova sees it as a strategic advantage, too. “There’s a lot of demand for healthcare professionals here, and a small pool of eligible workers. To attract the best talent, health providers need to offer a modern, flexible cloud-based workplace,” says Ton Kuiper, IT Specialist at Carinova. Kuiper notes that, in contrast, the IT infrastructure at Carinova took a lot of time to maintain, so the company was moving to the cloud to streamline operations and improve security.
In early 2017, the company contacted a Microsoft account team to inquire about migrating to Microsoft Office 365 productivity services. Carinova also arranged for a Microsoft Software Asset Management (SAM) evaluation of its IT environment.

The cybersecurity review process
IT provider Quexcel, a Microsoft SAM Solution Expertise Partner and member of the Microsoft SAM Partner Advisory Council, conducted a cybersecurity review, which included a baseline assessment of the technologies Carinova was using and what software licenses the company was entitled to use. The SAM cybersecurity engagement focused on safety improvements and GDPR readiness. It also included an interview with the data protection officer for Carinova and an assessment of the IT infrastructure. Peter van Uden, Software Licensing and SAM Specialist at Quexcel, says, “We review technology, processes, and people. This helps us get a more comprehensive view of the environment. What many organizations don’t realize is that you can have the most cutting-edge solution on the market, yet overlook how humans will actually handle this technology to keep your data secure.”
Based on the SAM assessment, Carinova learned that its IT infrastructure was basically secure. There were some areas that needed updates to meet GDPR compliance, and the company could benefit from more security training and updated application virtualization to accommodate its mobile workforce. The SAM team suggested products and practices to expand the benefits of an integrated cloud platform by adding visibility, simplified management, and scalable, flexible device and identity management.

Ready for GDPR compliance
Carinova encrypted communications across its IT infrastructure and used a simple mobile device management (MDM) solution, but the solution didn’t meet needs such as tracking the company’s device inventory and usage and performing remote data wipes. The SAM team advised migrating to a solution that also included rights management services to prevent healthcare professionals from storing sensitive data on their devices. “Based on the SAM cybersecurity engagement, we decided to adopt Microsoft 365 cloud technologies to manage all our mobile devices, with the data protection and identity management features we needed for GDPR compliance—and safeguarding patient information while supporting our employees in the field,” says Kuiper.
With GDPR in place, notes van Uden, organizations will need to confirm whether the people signing in are who they say they are and have the rights to access a secured environment. He says, “SAM cybersecurity engagements give organizations a complete picture of unapproved application use by looking for shadow IT and dark data. We often recommend adding identity management with Microsoft 365, to track which applications employees install and use.”

Carinova will use its new solution to separate business information and non-approved apps, as per GDPR standards. This will help prevent accidental transfer of protected information to an unsecured environment. In addition, mobile healthcare workers now chat with colleagues using Microsoft 365 services like Skype for Business, which makes it easy to keep PII in a secured environment when they consult with colleagues on details of a patient’s case.

A more aware workforce for improved security
“Security should be holistic,” says van Uden. “For example, if IT requires employees to update passwords regularly and sign in to core applications with company credentials, it must also make it easy for people to avoid copying data from that secured environment to an unsecured one. Employees must be aware of how they might introduce risks by understanding how their actions affect the IT environment.”
With cyberthreats evolving by the day, closing technology loopholes and posting rules is not enough. Security is strongest when employees are aware of how they contribute to it, which safety processes are in place (and why), and all technology components are configured properly. Carinova now holds regular educational workshops and offers an e-learning environment where employees can improve their security skills. “We’re much more aware,” says Kuiper. “Today, with any new process, we review security concerns a lot more before we implement anything.”
Now that the Microsoft SAM cybersecurity engagement has concluded, Carinova will start a six-month Quexcel SAM in a BOX Managed SAM Service. “When organizations configure their IT environments optimally to manage business processes, empower workers, and support cybersecurity, they’re on the cutting edge of technology and compliance,” says van Uden. Managed SAM supports digital transformation efforts by focusing on ways to control costs, manage business and legal risks, optimize software licensing investments, and align IT investments with business needs. Kuiper’s assessment of the SAM cybersecurity engagement is in line with this thinking. “We’re ready for GDPR and are pursuing our strategy of doing more in the cloud,” he says. “Carinova employees are much more aware and educated around security. When it comes to our IT goals, we see smooth sailing ahead, and we know where we’re headed.”

“We’re ready for GDPR and are pursuing our strategy of doing more in the cloud. Carinova employees are much more aware and educated around security. We know where we’re headed with IT now, and we see smooth sailing ahead.”
Ton Kuiper: IT Specialist, Carinova